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Abstract — In the secure network coding for multicasting, there 
is loss of information rate due to inclusion of random bits 
at the source node. We show a method to eliminate that loss 
of information rate by using multiple statistically independent 
messages to be kept secret from an eavesdropper. The proposed 
scheme is an adaptation of Yamamoto et al.'s secure multiplex 
coding 1 14 1 to the secure network coding |4|, |5|, |20|. 

Keywords — information theoretic security, network coding, se- 
cure multiplex coding, secure network coding 

I. Introduction 

Network coding [1| attracts much attention recently be- 
cause it can offer improvements in several metrics, such as 
throughput and energy consumption, see ||9), lfTO' 1. On the other 
hand, the information theoretic security [ 16] also attracts much 
attention because it offers security that does not depend on a 
conjectured difficulty of some computational problem. 

A juncture of the network coding and the information 
theoretic security is the secure network coding H, 0, which 
prevents an eavesdropper, called Eve, from knowing the mes- 
sage from the legitimate sender, called Alice, to the legitimate 
receivers by eavesdropping intermediate links up to a specified 
number in a network. It can be seen J8] as a network coding 
counterpart of the traditional wiretap channel coding problem 
considered by Wyner ED and subsequently others iTTBI . In 
both secure network coding and coding for wiretap channels, 
the secrecy is realized by including random bits statistically 
independent of the secret message into the transmitted signal 
by Alice so that the secret message becomes ambiguous to 
Eve. The inclusion of random bits, of course, decreases the 
information rate. In order to get rid of the decrease in the 
information rate, Yamamoto et al. Ifl4l proposed the secure 
multiplex coding for wiretap channels, in which there is no 
loss of information rate. The idea of Yamamoto et al. is as 
follows: Suppose that Alice has T statistically independent 
messages S\, . . . , St- Then Si, . . . , S,_i, S;+i, . . . , St serve 
as the random bits making S, ambiguous to Eve, for each i. 
The purpose of this paper is to do the same thing with the 
secure network coding as Yamamoto et al. [14|. 

Independently and simultaneously, Bhattad and Narayanan 
|3| proposed the weakly secure network coding, whose goal 
is also to get rid of the loss of information rate in the 
secure network coding. Their method ensures that the 
mutual information between S, and Eve's information is zero 
for each i. As drawbacks, the construction depends on the 



network topology and coding at intermediate nodes, and the 
computational complexity of code construction is large. In 
order to remove these drawbacks, Silva and Kschischang 
lfl9ll proposed the universal weakly secure network coding, 
in which they showed an efficient code construction that can 
support up to two F 9 -symbols in each S; and is independent of 
the network topology and coding at intermediate nodes. They 
|fl9ll also showed the existence of universal weakly secure 
network coding with more than two F 9 -symbols in S,, but 
have not shown an explicit construction. 

We shall propose a construction of secure multiplex network 
coding that is an adaptation of Yamamoto et al.'s idea [14] 
to the network coding. However, we relax an aspect of the 
security requirements traditionally used in the secure network 
coding. In previous proposals of secure network coding H, 
0, HQ, IID, (20l it is required that the mutual information 
to the eavesdropper is exactly zero. We relax this require- 
ment by regarding sufficiently small mutual information to 
be acceptable. This relaxation is similar to requiring the bit 
error rate to be sufficiently small instead of strictly zero. Also 
observe that our relaxed criterion is much stronger than one 
commonly used in the information theoretic security [16]. Our 
construction can realize arbitrary small mutual information if 
coding over sufficiently many time slots is allowed. 

There are several reasonable models of the eavesdropper 
Eve. In the traditional model used in |l4l. Bl. ifTfl. Ifl9l. EDI. 
Eve can arbitrary choose the set of fj. eavesdropped links after 
learning the structure of network coding and the set of eaves- 
dropped links is assumed to be constant during transmission 
of one coding block. The secure network coding is required 
to leak no information with every set of fj. eavesdropped links. 
We call this model as the traditional eavesdropping model. 
We shall show that the proposed scheme is universal secure 
in Section ITlI-CI in the sense of fl9l . EDI under the traditional 
eavesdropping model. 

However, it is observed in [18] that there is difficulty 
in implementation over the current Internet architecture to 
keep the set of eavesdropped links constant even when the 
set of eavesdropped links is physically constant. Thus, we 
consider another model of the eavesdropper in which the set 
of eavesdropped links is statistically distributed independent 
of the structure of transmitter, the number of eavesdropped 
links is yU per unit time, and the set of eavesdropped links 
is allowed to be time- varying. We call this second model as 
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the statistical eavesdropping model. We shall also show that 
the mutual information is small averaged over any probability 
distribution of network coding statistically independent of any 
other random variables, instead of the mutual information 
being small with every network coding as done in 0, 0, 
[11], [19|, |20|. Since the network coding is often constructed 
in the random manner |[T3l . considering the probability distri- 
bution of network coding and requiring the averaged mutual 
information being small make sense. We also define a Shannon 
theoretic capacity region of secure multiplex network coding 
and show that the proposed construction can achieve that 
capacity region. 

Although Harada and Yamamoto [ 1 1 1 have not explicitly 
stated, the adaptation of the secure multiplex coding lfl4l 
to the secure network coding J4], can be done by their 
strongly secure network coding ifiTI . The difference between 
our proposed scheme and the previous works 0, iTTTI . |fl9l is 
as follows: 

. The computational complexity of constructing network 
coding is huge in 0, ifTTI . while the computational 
complexity of code construction in the proposed scheme 
is that of selecting a random nonsingular linear matrix. 
. The construction of network coding in 0, JTI] depends 
on the underlying network topology, while the proposed 
scheme is independent of it and universal secure in the 
sense of [19|, [ 20 1 under the traditional eavesdropping 
model (see Section Ull-Ct . 
. The explicit construction of universal weakly secure net- 
work coding in |19| supports up to two F 9 -symbols in 
each secret message 5, and guarantees that the mutual 
information between each Si and Eve's information is 
zero, while the proposed scheme has no limitation on 
the size of Si and can make the mutual information 
between any collection (St : i e T) and Eve's information 
arbitrary smalfl provided that the total information rate 
of (S i : i e I) is not too large relative to p. 
• When the total information rate of (S , ■ : i e I) is large 
relative to fx, the mutual information to Eve becomes 
positive, but 0, |[T9l do not evaluate how large it is 
nor their smallest possible value. The proposed scheme 
realizes asymptotically the smallest possible value of 
mutual information with every collection (S; : i e J) 
simultaneously, as well as 01 11 . 
This paper is organized as follows: Section [IT] reviews 
related results used in this paper. Section [ill] introduces the 
strengthened version of the privacy amplification theorem and 
the proposed scheme for secure network coding, then proves 
the asymptotic optimality of the latter. Section [IV] concludes 
the paper. 

II. Preliminary 

A. Model of network coding 

As in 0, 0, 0, flj], ED, ED we consider the single 
source multicast. The network model is either acyclic or cyclic, 

1 The mutual information turned out to be exactly zero, see Appendix [E] 



and each link has either no delay or unit delay. We assume 
the linear network coding JT3], and a link carries single F 9 
symbol per time slot. The linear combination coefficients at 
each node are fixed so that every legitimate receiver can 
receive n symbols per time slot from the source. Linear 
combination coefficients at a node are allowed to change at 
each time slot except in Section IIII-CI We shall only consider 
the eavesdropper Eve and forget about the legitimate receivers. 
We shall propose a coding method encoding information over 
m time slots at the source node. Therefore, the source node 
transmit (m x n) F q symbols in a single coding block. Eve can 
eavesdrop p links per time slot. We assume p < n throughout 
this paper. The total number of eavesdropped links is therefore 
mp. 

B. Two-universal hash functions 

We shall use a family of two-universal hash functions J6) 
for the privacy amplification theorem introduced later. 

Definition 1: Let T be a set of functions from a finite set 
S\ to another finite set S%, and F the uniform random variable 
on f . If for any x\ + e Si we have 

Pr[F(*i) = F(x 2 )] < -i-. 
then T is said to be a family of two-universal hash functions. 

III. Construction of secure multiplex network coding 

A. Strengthened privacy amplification theorem 

In order to evaluate the mutual information to Eve when the 
rate of secret information is large, we need to strengthen the 
privacy amplification theorem originally appeared in |]2], lfl2ll 
as follows. The original version of the privacy amplification 
theorems 0, lfT2l cannot deduce Eq. (fTTT i while Theorem [2] 
can. 

Theorem 2: Let X and Z be discrete random variables on 
finite sets X and X, respectively, and T be a family of two- 
universal hash functions from X to S. Let F be the uniform 
random variable on T statistically independent of X and Z. 
Then we have 

E/exp(p/(F(X); Z\F = /)) < 1 + \SfE[P xlz (X\zy] (1) 

for all < p < 1, where / denotes the (conditional) mutual 
information as defined in [7|. We use the natural logarithm for 
all the logarithms in this paper, which include ones implicitly 
appearing in entropy and mutual information. Otherwise we 
have to adjust the above inequality. Proof will be given in 
Appendix [A] 

B. Description of the proposed scheme 

We assume that we have T statistically independent and 
uniformly distributed secret messages, and that the z'-th secret 
message is given as a random variable S; whose realization 
is a column vector in F^'. The sizes are determined later. 
We shall also use a supplementary random message St+i 
taking values in F* r+1 when the randomness in the encoder 
is insufficient to make Si secret from Eve. We assume mn = 
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k\ + •■• + kj+x- Let X be the set of all bijective F ? -linear 
maps from Y\J=i to itself, and aj be the projection from 
lU + i lE t t0 iifejF*' for * J c {1, r}. In 03 we 
have shown that the family {ffj o L | L e X} is that of two- 
universal hash functions for all + I c {1, T}. Let L 
be the uniform random variable on X statistically independent 
of S i, . . . , Sj+\, and arbitrary fix nonempty I c {1, . . . , T}. 
Define X to be the random variable L~ X (S\, St, St+i)- 
The source node sends X to its n outgoing links over m time 
slots. Our construction just attaches the inverse of a bijective 
linear function to an existing network coding. 

By the assumption on Eve, her information can be ex- 
pressed as BX by using a pm x mn matrix B over E q . We 
regard B as a random variable (matrix) and its probability 
distribution is denoted by P B . We make no assumption on 
P B except that the rank of B is at most pm and that B is 
independent of Si, Sj+\, L and X, which means that 
Eve does not change B by watching the realization of L. 
When the random network coding is used and Eve can choose 
locations of up to p eavesdropping links but cannot choose the 
linear coefficients of random network coding, the statistical 
independence assumption on B looks reasonable. From the 
uniformity assumption on S ,-, the conditional distribution Px\l 
is uniform with every realization of L. This means that X and 
L are statistically independent and P x is uniform. For fixed 
Z, the set {x e F™ | Bx = z} has q ""™ w vectors. Thus, 
the conditional distribution Px\BX,L,B(x\z,£,b) is the uniform 
distribution on the set of q mn - makh elements with every triple 
of z, I and b. We have 



Px\bx,l,b{Az, I, b) = Px\bx,b( x \z> b) = q 



-(mn— rank/?) 



(2) 



Arbitrary fix nonempty I c {1, T], denote the collection 
of random variables (5, : i e J) by Sj, also fix a realization 
b of B, and let kj = YiieX^i- Under these notations, we can 
upper bound the mutual information I(S j\bX\L) as 



E e exp(p/(S j; BX\B = b,L = €)) 

< 1 + q pkl E[P x]bx (X\bX) p ] (by Theorem 
= 1 + q pkl E[(q- (m "- rdnm ) p ] (by Eq. ©) 

< 1 + q P k iq-'"P^ (because rankfc < fim) 



(3) 



1 + q 



—mp(n-fi—kz /m) 



(4) 



for < p < I. One can also see that 

E [P I(S i; BX\B = b,L = £) (5) 
logexp(E f p/(S j; BX\B = b,L = €)) 

< log E ( exp(pI(S j- BX\B = b,L = £)) 

< log(l + q -"'P("-f- k iM) 

< q- m P < - n -f- k il m 'i (g) 
for < p < 1. Averaging Eqs. (fill-© over b we have 

E bJ pI(Sr, BX\B = b,L = £)< q-nptn-n-kx/m)^ (7) 
E b ,c exp(p/(5 j; BX\B =b,L = €))<!+ q ->^-p- k iM_ (g) 



Fix C\ > 2x(2 r -l). Equation © and the Markov inequality 
yield that 

PrX 7>1 < 1/Ci 

for any single nonempty I Q {1 T], where X/,i '■={£] 

E b I(Sj;BX\B = b,L = {) > CiE w /(5 7 ;BX|B = b,L = £)}. 
Thus, 

PrUj^Xj,! <(2 r -l)/d. 
This means that a realization ( of L satisfies 

E b I(S j; BX\B = b,L = £) 

< CiE w 7(5 1\ BX\B = b,L = £) 

< C x q- mpin -^ kllm) lp (9) 

for all the (2 T - 1) nonempty subsets I of {1, T] 
with probability at least 1 - (2 T - 1)/Ci. Defining another 
subset Xj, 2 := K I E b exp(pI(S T ; BX\B = b,L = €)) > 
CiE b , c exp(fiI(Sr,BX\B = b,L = £)), by Eq. © and the 
Markov inequality we obtain 

Pr U T:J#0 (X/,i U X/, 2 ) < 2(2 r - l)/d. 

Therefore, a realization £ of L satisfies both Eq. © and 

Ei exp(p/(S j; = b,L = €)) < C\{\ + q -™i^-n-*il™\ 

(10) 

with probability at least 1 - 2 x (2 T - 1)/Ci. 
Equation (TlOb implies 



E, 



7(5 j; = b,L = £) 



m 



1 



= -Ei log exp 7(5 j; = b,L = £) 
m 

< - log E b exp 7(5 j; = b,L = £) 

m 

< + l 0g (l + q-mpin-n-krlm^ (by Eq ^ 

mp mp 

< 1+1 ° gCl +(k I /m-(n-p))logq, (11) 

for - (n - p) > 0, where in Eq. ( fTTT l we used log(l + 
exp(x)) < 1 + x for x > 0. Note that Eq. © is minimized at 
p — 1, because its partial derivative with respect to p is 



Ciq -mp(n-ii-k/m) C x m{n-p- k/m) \og(q)q- m P { "- 



p p 

which is negative for all < p < 1. By the same reason Eq. 
(fXTb is also minimized at p = 1. 

Fix C2 with C2 > 2 x (2 r - 1). By the same argument as 
above, we see that for a realization £ of L satisfying both Eqs. 
© and (fTTT l. with probability at least 

l-2x(2 r -l)/C 2 , (12) 

a realization b of B makes 

7(5 j; BX\B = b,L= £) < CiC 2 q' mp{n ^ kl/ '" ) lp, (13) 



3 



I(S 7 ; BX\B =b,L 



1 + log C2 + log Ci 



m mp 

+ (k I /m-(n-p))\ogq. (14) 

Even when we choose large C2 and C\ and make the 
probability of b and t satisfying Eqs. ( fT3l ) and ( [Pil l large, we 
can make the upper bound ( TTST i arbitrary small by increasing 
m. This observation enables us to use a fixed bijective linear 
function I that is agreed between the legitimate sender and 
the receivers in advance. The legitimate receiver can apply 
the agreed I to the received information in order to restore the 
original messages 5,. 

One can easily see that if p — 1 and kj < m(n —fi — <5j) with 
6j > 0, then the upper bound (fT3l l on the mutual information 
exponentially converges to zero as m — > 00. This means that we 
can transmit (n —p) F 9 -symbols in the z'-th secret message per 
time slot with arbitrary small eavesdropped information when 
the encoding is allowed to be done over sufficiently many time 
slots. On the other hand, if m(n - p) < kj < m(Rj - 6j) with 
61 > and Rj > 0, then by the upper bound ( TT4T > we see the 
mutual information per symbol is upper bounded by 

I{Sf,BX\B = b,L = €) 
<R T -(n-p) 



for sufficiently large m. In Section IIII-DI we shall show that 
the proposed scheme is asymptotically optimal by capacity 
consideration. 

Remark 3: The meanings of C\ and C2 are as follows: At 
Eqs. (0 and (0, there might not exist a realization i of L 
that satisfies Eqs. (O and ([8]) for all subsets I of {1, 
T) simultaneously. By sacrificing the tightness of the upper 
bounds, we ensure the existence of t satisfying Eqs. © and 
dlOl l. At Eqs. (0 and ( [Tol l, realizations b of B might satisfy 
Eqs. © and ( TTOb with unacceptably low probability. Again by 
sacrificing the tightness of the upper bounds, we ensure that 
the eavesdropping matrix B satisfies Eqs. (fT3l l and (fl4l with 
comfortably high probability. 

C. Security analysis of the proposed scheme under the tradi- 
tional eavesdropping model 

In the preceding study of secure network coding |@], 0, 
HU, EEL ED, it is assumed that 

. the eavesdropper Eve can choose p eavesdropped links 

per unit time after learning the structure of network 

coding, and 

. the set of eavesdropped links is constant during transmis- 
sion of one coding block. 
In Section U we called the above assumption as the traditional 
eavesdropping model. Under the above assumption, the num- 
ber of possible sets of eavesdropped links is constant, say Ce, 
independent of m. If we take the random variable B according 
to the uniform distribution on the sets of eavesdropped links 
and the probability of some event of B is larger than 1 - 1 /Ce 
then that probability must be one. Set C2 in Eq. (TT~2T > such that 
1 - 2 x (2 T - 1)/C 2 > 1 - I/Ce, then we can see that Eqs. 
CfT~3T > and ( TBI hold with every realization of B. In addition 
to this, the proposed construction of coding does not depend 



on the network topology nor coding at intermediate nodes. 
In that sense, the proposed scheme is universal secure [19|, 
[20] except that the proposed scheme can make the mutual 
information arbitrary smal0, while |[T9l , ll20l make the mutual 
information exactly zero. 

D. Capacity consideration of the proposed scheme 

Firstly, let us define the achievable rate tuple and the 
capacity region as in 0. 

Definition 4: Suppose that we are given a sequence of 
pm x mn random matrices B m whose distribution Pb„ has no 
restriction except that the rank of B m is always pm and that 
B m is independent of any other random variables. Let e m be a 
stochastic encoder from Yu=\ F™*"" to F™', d m either stochastic 
or deterministic decoder from FT" to FJiLi F™*"", and S ^ m the 
uniform random variable on F„ '■" , for i = 1, . . . , T and m — 1 , 
2, .... If 

lim Pr[(S i, m , . . . , S T , m ) * d m (e m (S i >m , . . . , S T ,„,))] = 0, 

m— >oo 

lim sup 7(5 i>; B m e m (S i >m , . . . ,S T ^)\B m )/m 

m—yoo 

< max jo, -(n - p) + ^ /?, j , 

liminf Ar, m > Rj, 

m—*co 

for all nonempty subsets I c {1, T), then the rate 
tuple (Ri, Rt) is said to be achievable for the secure 
multiplex network coding with T secret messages and up to 
p eavesdropped links per time slots represented by random 
matrices B m , where S z, m denotes the collection (S J>m : i e J) 
of secret messages 5,-. m . We also define the capacity region 
of ¥ q -linear secure multiplex network coding as the closure 
of such rate tuples (R\, Rj) over all the sequences of 
encoders and decoders. 

Theorem 5: The capacity region F^-linear secure multiplex 
network coding is given by rate tuples (R\, . . . , Rt) such that 



Z 



< Ru 



Ri < n. 



Proof. The fact that every rate tuple given by the above 
equation is achievable is already proved in the previous 
section under stronger requirements, namely Pr[(5i im , 
Sr,m) * d m (e m (S Um , S T ,m))] = for all m, limsup,,,^ 
I(S /,,„; B m e m (S L , m , . . . , S T , m )\B m )/m < max{0, £, eJ fl,-(n-//)}, 
and lim m ^ 0O 7(5 j, m ; B m e m (S i >m , . .., S T , m )\B m ) = for I with 
TjieiRi < ( n - I 1 )- We have to show the so-called converse 
part of the coding theorem. Fix an arbitrary nonempty subset 
I Q {1, T) and a sequence of random matrices B m , and 
suppose that we have a sequence of stochastic encoders as 
defined in Definition [4] with 

lim inf V K Um > V R t + 5 



iel 



(15) 



2 The mutual information turned out to be exactly zero and our scheme is 
exactly universal secure in the sense of 1191 . 1201 . see Appendix 151 
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for 6 > and suppose also that 

lim sup 7(5 j, m ; B„,e m (S i,„„ . . . ,S T ,m)\B m )/m 

<max|o,^«i-(/i-ju)|. (16) 

By Eq. ( fT6b there exists a sequence of fan x mn matrices b m 
such that 

lim sup 7(5 j, m ; fc m e m (5 i >m , . . . , 5 T ,m))/m 

m— >co 

< lim sup 7(5 T ,m, B m e m (S i, m , . . . , 5 T ,m)\B m )lm 



77(5 



,5r, m ))-l 



log I fife/ F™ 



1 



iel 



ZieJ «i> log 9 

1 I{S i,m\B m e m (S \ M 



n+fi) log 9 

, 5 T,m)\B m ) 



< max jo, ^ R/ - (n - (i) j 



(17) 



For every m, define a„, to be an yum x fim matrix and c,„ to 
be an mn x wn matrix such that a m b m c m is a matrix of the 
horizontal concatenation of the fim x fim identity matrix and 
the zero matrix. By Eq. (fTTT i and the data processing inequality 
we have 

lim sup7(5/, m ; a m b m c m e m (S i, m , . . . ,S T , m ))/m 

<max|o,^/?i-(n-Ai)|. (18) 

Define Xjj/ as the first /jm components in the random vector 
em(Si,m> Sr,m), and X®? as the remaining components in 
e m (S hm , S T ,m)- We have 

H(S I, m \e m {S i >m , . . . ,5 T,m)) 

= H(S I , in )-I(S I , m ;XH\xW) 

= H(S x , m ) - I(Si,,„;X^) - I(S T , m ;X^\X^) (by the chain rule) 
= H(S Itm )-I(S 

~ I(S I, m \ [XjJ ) 

> 77(5 j, m ) - 7(5 j, ffl ; fc m e m (5 !,„,, . . . , 5 r , m )) - 7(5 j, m ; X^IXjJ*) 

> 77(5 j, m ) - 7(5 !,,„■ b m e m (S ,, m , ...,S r>m )) - i7(X<f ) 

> m^^ >m log^-7(57 

,m» b m e m (S i ?m , . . . , 5 r,m)) 

- m(n - yu) log q 

> m [[^j K i,m -n+fijlogq- 7(5 j 

,m» @m&m{p 1, 

„„..., 5 T,m))lm\ 

iel 



(19) 

m m 

By Eqs. ( fT51 ), ( fT6l ) and ( fT9] > we can see that 

limsup m _ i0O Pr[(5i im , 5t>,) * d m (e,„(S i,,„, S T , m ))] 
> 6/(6 + J^iejRd > 0. This shows that the limit of mutual 
information 7(5 j >m ; B m e m {S\ M , 5 T,m)\B„,)/n cannot be 
lower than 2, e j/?i — (n - ft) while keeping the sum of 
information rates Yjiei K i strictly larger than 2, e j/?/. ■ 

IV. Conclusion 

In the secure network coding, there was loss of information 
rate due to inclusion of random bits at the source node. In 
this paper, we have shown that a method to eliminate that loss 
of information rate by using multiple statistically independent 
messages to be kept secret from an eavesdropper, and called 
the proposed scheme secure multiplex network coding. The 
proposed scheme is an adaptation of Yamamoto et al.'s secure 
multiplex coding |[T4l to the secure network coding 0, 



> m [(^j Ki,m ~n+n)\ogq 
iel 

- 7(5 j, m ; B m e m (S i, m , . . . , 5 T,m)\B„,)/m], 



where 77 denotes the (conditional) entropy as defined in Q. 
By abuse of notation, re-define arj to be the projection from 

nLi to n fe jF* for * I c {1 T}. By using Fano's 

inequality [7 Theorem 2.10.1] 

Pr[(5 l,mt • • • > 5 T,m))] 

> Pr[5 T ,m * aj(d m (e m (S i >m , . . . ,S T , m )))] 
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Appendix A 
Proof of Theorem [2] 

In order to show Theorem [2] we introduce the following 
lemma. 

Lemma 6: Under the same assumption as Theorem [2] we 
have 

E f exp(-pH(F(Xy, Z\F = /)) < \S\~ P + K[Px\z{X\Zf] (20) 

for <p< 1. 
Proof of Theorem [2] 

E f exp(pI(F(X);Z\F = f)) 



5 



= E f exp(pH(F(X)\F = f) - pH(F(X);Z\F = /)) 

< E f \Sfexp(-pH(F(X);Z\F = /)) 

< E f \Sn\S\- p +E[Pxiz(Wl) (by Eq. ©) 

= 1 + \S\ P E[P X]Z (X\Z) P ] m 

Proof of Lemma [6] Fix z & X- The concavity of x p for < 
p < 1 implies 

E/^P /( x)|z(*k) 1+p 
= ^P^(x| Z )E / ( J] Px|z(^'k)) P 

xe* x'ef-Hx) 

<Yj P MAz){E f Yj Px\z{x'\z)f . (21) 

xeX x'ef-'ix) 



Since / is chosen from a family of two-universal hash func- 
tions defined in Definition [Tj we have 



(*) < Px\z(x\z) + 2 



x+x'eX 
-1 



Px\z(x'\z) 
\S\ 



< Px[z(x\z) + \S\ 

Since any two positive numbers x and y satisfy (x+y) p < xP+yf 
for < p < 1, we have 



(Px\z(x\z) + \Sr x f < Px\z(x\zf + \s\- p . 

By Eqs. (fJJ} and ( 1221 we can see 

E/ P /( x)|z(^k) 1+p < J] ^|z(x|z) 1+p + |5f p . 



(22) 



s&S 



.voY 



Taking the average over Z of the both sides of the last equation, 
we have 

E f E xz P fmz (f(X)\zr < E xz P xlz (X\ZY + \S\- p . (23) 

Define g(p) - E XZ P f( X )\ Z (f(X)\Z) p as a function of p with fixed 
/ and P XZ , and h(p) = log g(p). We have 

g'(p) = E xz P m \z(f(X)\Zf\ogP m]z (f{X)\Z\ 

g"(p) = E xz P f{X)lz {f{X)\zniogP f{X)lz (f(X)\Z)) 2 , 

h'ip) = g'(p)/g(p), 

. g"(p)g(p) ~ lg'(p)] 2 
" (P) = 7T2 • 

Define (X', Z') to be the random variables that have the same 
joint distribution as (X, Z) and statistically independent of X 
and Z. To examine the sign of h"{p) we compute 

g"(p)g(p) ~ [g'(p)f 

= E xzx , z ,p f(X)Z (j(x), zyp mz {f(x'\ zr 

[(logP /(X) |z(/(X)|Z)) 2 - logP /( x)|z(^|Z)logP /(X) | Z (X'|Z')] 

= ^E xzx , z ,P f(X)z (f(X), Z) p P f(X)z (f(X% Z'Y 

[(logP /(Z) | Z (/(X)|Z)) 2 + (logP /(X) | Z (/(X')|Z')) 2 
- 2 log P m \ Z (f(X)\Z) \ogP m]z {f{X')\Z')} 



_ 1 
~ 2 

>0 



E XZX 'z^/(x)z(/(X), ZfP f(X)z (f(X'), Z'f 
[logP f(MZ (f(X)\Z) - logP /(X) | Z (/(X')|Z')] 2 



This means that h"(p) > and h{p) is convex. We can see 

^xzPf(X)\z( 



E xz P f<x)iz (f(X)\Z) p = exp(/i(p)) 



> exp( h(0) +ph'(0)) 

=o 

= exp(-pH(f(X)\Z)). (24) 
By Eqs. ([23j and (EHi we see that Eq. (|20]i holds. ■ 
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Appendix B 
Notes added after publication 

This appendix is a note after submission of the final version 
to Proc. NetCod 2011. In Section lilTCl we claimed that the 
mutual information to Eve can be arbitrary small. This means 
that the mutual information can be made exactly zero for every 
eavesdropping matrix b. The reason is as follows: For fixed b 
and I, we have 

I(S 7 ; BX\B = b,L = €) = H(S T \B = b,L = i)-H(Sr\bX, L = €). 

(25) 

The first term H(S j\B = b,L = €) is an integer multiple of 
logg since S j is assumed to have the uniform distribution. For 
fixed b and i, we have bX = b€~ l (S\, . . . , St+i)- For a given 
realization bx of bX, the set of solutions s such that bx = bl s 
is written as ker(W _1 )+ some vector v. This means that the 
set of possible candidates of Sj given realization bx of bX 
is written as aiikeribt^ 1 )) + aj(v), and S j given realization 
bx is uniformly distributed on aj(ker(b{~ 1 )) + aj(v). Since 
the cardinality of aj(ksr{M' 1 )) + aj(v) is independent of X 
for fixed b and (, the second term H(S i\bX,L - () is also 
an integer multiple of log q. Therefore, if Eq. (fT~3T > holds for 
every B as verified in Section IIII-CI and the RHS of Eq. ( fT3l ) 
is < log q, then the LHS of Eq. ( fT~3l > must be zero. 

In Section U we overlooked the relevant research result 
by Cai ("Valuable messages and random outputs of channels 
in linear network coding," Proc. ISIT 2009, Seoul, Korea, 
Jun. 2009, pp. 413-417). Cai proved that random linear 
network coding gives the strongly secure network coding in the 
sense of ifTTl with arbitrarily high probability with sufficiently 
large finite fields. The advantages of the present result over 
Cai's result are (1) we do not have to change encoding at 
intermediate nodes, (2) our construction is universal secure in 
the sense of 1(191 . l20l . and (3) much smaller finite fields can 
be used than Cai's result. 
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